Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities
-
@stepinsky We do have a newsletter that you can subscribe to, however, it is published once a month and not just when there are updates. When we have updates like this one it will be published on the forum, pfSense and Netgate Reddit, our blog, and on the Netgate/pfSenseTwitter.
-
@steve_b Thanks for the explanation, that makes sense. And did not know about the RSS widget, thanks again!
-
noob questions ...
Will the 'reinstall packages' button under the Diagnostics>backup&restore....do that same thing? -
The "Reinstall packages" button reinstalls user-selected/installed packages E.g.: Snort or pfBlockerNG. The packages that are the subject of this notice are required, built-in packages so the command line way is the only way for now.
-
@redtech116 said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
einstall packages' button under the Diagnosti
You can enable SSH via System -> Advanced - Secure Shell Server - tick enable then click save.
You will then be able to connect to your Firewall via putty. I disabled ssh after doing what needs to be done as I prefer to use the web gui instead and don't need another open path to my device.
-
@marekandreansky said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
I prefer to use the web gui instead and don't need another open path to my device
Well ...
This time
(the RSS feed in the GUI)
and this :
(part of the Newsletter mail received today, Feb 21, 2019)talks about using the console access.
Upgrading NGINX - as you might know, this is the web server of the GUI - shouldn't be done using the same GUI.
It might work of course - but if anything goes wrong, you're locked out.The SSH (console access) is using worlds best protected access method (paired with some public/private keys) - the GUI is only and will always be next-best.
In this case, it's just a question of login using Putty - go option 8 and pasting the commandspkg update; pkg upgradelet it do its job, and
exit [enter]
and
0 [enter](test you GUI ^^)
-
It's a little problematic that the last 2.4.5 DEVEL version broke the backup functionality, and won't be updated until 2.5.0 snapshots come out -- but the instructions here are to backup the full config before the pkg update/upgrade.
https://redmine.pfsense.org/projects/pfsense/repository/revisions/e0b32eb9e6b040fd14025b5c32644959ba67250e
-
Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?
-
@callen said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
Noob question: I'm currently on 2.4.4-RELEASE-p1. Does the warning message mean that by upgrading to 2.4.4-p2 these security related packages are updated as well?
@dennis_s said in Update pfSense packages to protect against NGINX, libzmq4, and curl vulnerabilities:
Warning: If you are running a version of pfSense prior to 2.4.4-p2 simply update to that version to benefit from these changes.
It's even written in red, so improve your reading skills.
-
@grimson thanks for not being a jerk about my message. Makes me want to continue to ask questions when I'm not sure.
-
@callen If unsure ask away. Maybe it's clear but asking for clarification never hurts. Not everyone got up on the wrong side of bed ;)
-
I updated using the Diagnostics / Command Prompt as a lazy mans way around SSH or console access.
Execute Shell Command: pkg update; pkg upgrade -y
-
Glad I saw this posted somewhere on the forum my box is updated, a little different as this time i upgraded from a Mac
